Attorney Docket # 4925-190PUS
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re National Phase PCT Application of 

Timo VITIKAINEN 
International Appln. No.: PCT/EP99/04625 
International Filing Date: 02 July 1999 
For: Authentication Method and System 



PRELIMINARY AMENDMENT 

Assistant Commissioner for Patents 
Washington, D.C. 20231 
BOX PCT 

SIR:

Prior to examination of the above-identified application please amend the 
application as follows: 



In the Specification:

Page 3, after line 19, insert the following as a new paragraph: 
--Other objects and features of the present invention will become apparent from the following
detailed description considered in conjunction with the accompanying drawings. It is to be
understood, however, that the drawings are intended solely for purposes of illustration and not as
a definition of the limits of the invention, for which reference should be made to the appended
claims.--

On page 12, after line 10 (last line), insert the following as a new paragraph: 
--Thus, while there have been shown and described and pointed out fundamental novel features of
the present invention as applied to a preferred embodiment thereof, it will be understood that 
various omissions and substitutions and changes in the form and details of the devices described 
and illustrated, and in their operation, and of the methods described may be made by those skilled 
in the art without departing from the spirit of the present invention. For example, it is expressly 
intended that all combinations of those elements and/or method steps which perform substantially 
the same function in substantially the same way to achieve the same results are within the scope of 
the invention. Substitutions of elements from one described embodiment to another are also fully 
intended and contemplated. It is the intention, therefore, to be limited only as indicated by the 
scope of the claims appended hereto.--

On page 13, line 1, delete "Claims", and insert therefor --What is claimed is:--.

In the Claims:

Amend claims 3, 4, 8, 9, 12, 13, 14 and 15 to read as follows:

3. An authentication method according to claim 1, wherein said subscriber identity is
at least one of an IMSI and an MSISDN of the subscriber.

4. An authentication method according to claim 1, wherein said mapping information
is transmitted in an access request message.

8. An authentication method according to claim 1, wherein said mapping information 
is generated by an authentication client functionality in a GGSN. 

9. An authentication method according to claim 1, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

12. An authentication system according to claim 10, wherein said authentication client 
means (52) is a RADIUS client. 

13. An authentication system according to claim 10, wherein said server (8) is a 
RADIUS server. 

14. An authentication system according to claim 10, wherein said subscriber identity is 
an IMSI or an MSISDN.

15. An authentication system according to claim 10, wherein said authentication client
means (52) is arranged to transmit said mapping information in an access request message to said 
authentication server (8). 

Add the following new claims: 

18. An authentication method according to claim 2, wherein said subscriber identity is 
at least one of an IMSI and an MSISDN of the subscriber. 

19. An authentication method according to claim 2, wherein said mapping information 
is transmitted in an access request message. 

20. An authentication method according to claim 3, wherein said mapping information 
is transmitted in an access request message. 

21. An authentication method according to claim 2, wherein said mapping information
is generated by an authentication client functionality in a GGSN. 

22. An authentication method according to claim 3, wherein said mapping information 
is generated by an authentication client functionality in a GGSN.

23. An authentication method according to claim 4, wherein said mapping information
is generated by an authentication client functionality in a GGSN. 

24. An authentication method according to claim 5, wherein said mapping information 
is generated by an authentication client functionality in a GGSN. 

25. An authentication method according to claim 6, wherein said mapping information 
is generated by an authentication client functionality in a GGSN. 

26. An authentication method according to claim 7, wherein said mapping information 
is generated by an authentication client functionality in a GGSN. 

27. An authentication method according to claim 2, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

28. An authentication method according to claim 3, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

29. An authentication method according to claim 4, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals.

30. An authentication method according to claim 5, wherein said mapping information
is used for at least one of a service specific charging and addressing of mobile terminals. 

31. An authentication method according to claim 6, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

32. An authentication method according to claim 7, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

33. An authentication method according to claim 8, wherein said mapping information 
is used for at least one of a service specific charging and addressing of mobile terminals. 

34. An authentication system according to claim 11, wherein said authentication client 
means (52) is a RADIUS client. 

35. An authentication system according to claim 11, wherein said server (8) is a 
RADIUS server. 

36. An authentication system according to claim 12, wherein said server (8) is a 
RADIUS server.

37. An authentication system according to claim 11, wherein said subscriber identity is
an IMSI or an MSISDN. 

38. An authentication system according to claim 12, wherein said subscriber identity is 
an IMSI or an MSISDN.

39. An authentication system according to claim 13, wherein said subscriber identity is 
an IMSI or an MSISDN. 

40. An authentication system according to claim 11, wherein said authentication client 
means (52) is arranged to transmit said mapping information in an access request message to said 
authentication server (8). 

41. An authentication system according to claim 12, wherein said authentication client 
means (52) is arranged to transmit said mapping information in an access request message to said 
authentication server (8). 

42. An authentication system according to claim 13, wherein said authentication client 
means (52) is arranged to transmit said mapping information in an access request message to said 
authentication server (8).

43. An authentication system according to claim 14, wherein said authentication client
means (52) is arranged to transmit said mapping information in an access request message to said
authentication server (8).

REMARKS

This preliminary amendment is presented to place the application in proper form 
for examination and to eliminate multiple dependency from the present claims. No new matter 
has been added. Early examination and favorable consideration of the above-identified application 
is earnestly solicited. 

Any additional fees or charges required at this time in connection with the 
application may be charged to our Patent and Trademark Office Deposit Account No. 03-2412. 



Respectfully submitted, 

COHEN, PONTANI, LIEBERMAN & PAVANE 





By:
Michael C. Stuart 
Reg. No. 35,698 
551 Fifth Avenue, Suite 1210 
New York, N.Y. 10176 
(212) 687-2770 



13 December 2001

AMENDMENTS TO THE SPECIFICATION AND CLAIMS SHOWING CHANGES
In the Claims: 

3. An authentication method according to claim 1 [or 2], wherein said subscriber
identity is at least one of an IMSI [and/or] and an MSISDN of the subscriber.

4. An authentication method according to claim 1 [any one of claims 1 to 3], wherein
said mapping information is transmitted in an access request message.

8. An authentication method according to claim 1 [any one of the preceding claims], 
wherein said mapping information is generated by an authentication client functionality in a 
GGSN. 

9. An authentication method according to claim 1 [any one of the preceding claims], 
wherein said mapping information is used for at least one of a service specific charging [and/or] 
and addressing of mobile terminals. 

12. An authentication system according to claim 10 [or 11], wherein said 
authentication client means (52) is a RADIUS client. 

13. An authentication system according to claim 10 [any one of claims 10 to 12],
wherein said server (8) is a RADIUS server.

14. An authentication system according to claim 10 [any one of claims 10 to 13],
wherein said subscriber identity is an IMSI or an MSISDN. 

15. An authentication system according to claim 10 [any one of claims 10 to 14],
wherein said authentication client means (52) is arranged to transmit said mapping information in 
an access request message to said authentication server (8).

Authentication method and system

FIELD OF THE INVENTION

The present invention relates to an authentication method 
and system for identifying a subscriber of a first network 
in a second network. 



In a GPRS (General Packet Radio Services) system, a packet 
mode technique is used to transfer high-speed and low-speed 
data and signaling in an efficient manner. GPRS optimizes 
the use of network and radio resources. Applications based 
on standard data protocols are supported, and interworking 
is defined with IP-networks. GPRS is designed to support 
from intermittent and bursty data transfers through to 
occasional transmission of large volumes of data. Charging 
is typically based on the amount of data transferred. 

GPRS introduces two new network nodes in the GSM mobile
network. The Serving GPRS Support Node (SGSN) is at
the same hierarchical level as a mobile switching center
(MSC), keeps track of the individual location of
mobile stations (MS) and performs security functions and
access control. The SGSN is connected to the base station
system with a Frame Relay. The Gateway GSN (GGSN) provides 
interworking with external packet-switched networks, and is 
connected with SGSNs via an IP-based GPRS backbone network. 
A HLR (Home Location Register) of the GSM system is 
enhanced with GPRS subscriber information, and a VLR 
(Visitor Location Register) can be enhanced for more 
efficient coordination of GPRS and non-GPRS services and 
functionality, e.g. paging for circuit switched calls that
can be performed more efficiently via the SGSN, and
combined GPRS and non-GPRS location updates. 

In order to access the GPRS services, an MS first makes its 
presence known to the network by performing a GPRS attach. 
This operation establishes a logical link between the MS 
and SGSN, and makes the MS available for paging via the 
SGSN, and notification of incoming GPRS data. In order to 
send and receive GPRS data, the MS shall activate the 
packet data address it wants to use. This operation makes 
the MS known in the corresponding GGSN and interworking 
with external data networks can commence. User data is 
transferred transparently between the MS and the external 
data networks with a method known as encapsulation and
tunneling, wherein data packets are equipped with GPRS-specific
protocol information and transferred between the
MS and the GGSN. This transparent transfer method lessens
the requirement for the GPRS mobile network to interpret
external data protocols, and it enables easy introduction
of additional interworking protocols in the future.

In case a mobile subscriber wishes to access a value added
service (VAS) provided by an IP network, a service specific
charging is a mandatory feature of the corresponding VAS
platform for mobile operators. This means that operators
need service platforms which are capable of performing
charging based on e.g. an accessed WML content or URL
(Uniform Resource Locator) and delivered messages. However,
MS identification in VAS platforms connected to the GPRS
network or other mobile packet switched networks is not
trivial. The reason is that a VAS platform
receives only IP packets from a certain source address
which is normally only a dynamic IP address of an MS and
thus not sufficient at all for identifying that MS.
Furthermore, an MSISDN (Mobile Station ISDN number) is
required which is especially important for messaging
services (e.g. multimedia messaging) in order to prevent
additional HLR queries.

A known MS identification is performed e.g. by using user 
names, passwords or cryptographic keys. However, these 
types of solutions are complex to operate/manage for mobile 
operators. Moreover, such solutions normally require their 
own management systems and data bases which are not 
necessarily consistent with existing billing or charging 
systems of mobile operators where the IMSI (International 
Mobile Subscriber Identity) or the MSISDN are the key of
the CDRs (Call Detail Records).

Alternatively, an authentication service could be performed 
in the HLR. However, this solution leads to a significant 
rise of the load in the HLR which is already a crucial 
node.

SUMMARY OF THE INVENTION 

It is therefore an object of the present invention to 
provide an authentication method and system, by means of 
which VAS platforms may identify an MS accessing services 
of the VAS platform. 

This object is achieved by an authentication method for 
identifying a subscriber of a first network in a second 
network, comprising the steps of: 

allocating an address of said second network to said 
subscriber;

generating information about a mapping between the
subscriber's address in said second network and a 
subscriber identity; and 

transmitting the mapping to said second network. 

Furthermore, the above object is achieved by an authentication
system for identifying a subscriber of a first network in a
second network, comprising:

a gateway device comprising allocation means for allocating 
an address of said second network to said subscriber, and 
authentication client means for generating an information 
about a mapping between said address of said second network 
and a subscriber identity, and for transmitting said 
mapping information to said second network; and 
an authentication server provided in said second network 
and adapted to log and maintain said mapping information. 

Furthermore, the above object is achieved by a gateway 
device for connecting a first network to a second network, 
comprising: 

allocation means for allocating an address of said second 
network to a subscriber of said first network; and 
authentication client means for generating an information 
about a mapping between said address of said second network 
and a subscriber identity, and for transmitting said 
mapping information to said IP network. 

Accordingly, a mapping information between the address of
the second network and the subscriber identity is generated
and supplied to the second network. Thereby, a client-server
connection is achieved, which allows the actual
subscriber identity of a dynamic address of the second
network to be handed over to the second network. The
second network uses the mapping of the address of the
second network and the subscriber identity for identifying
the subscriber.

Since the first network, e.g. the GGSN, includes an
information about the mapping between the address of the
second network and the subscriber identity, new mapping
data can be transmitted to the second network, if the
mapping has changed.

Preferably, the subscriber identity is the IMSI and/or the
MSISDN of the subscriber. Thereby, a multimedia messaging
service may identify the recipient using the MSISDN, and
the recipient may identify the message sender based on the
MSISDN provided by the multimedia messaging service center,
such that HLR queries are no longer required. Furthermore,
the MSISDN or IMSI may be used by a charging function for
identifying the subscriber in order to perform a service
specific charging.

The mapping information may be transmitted in an access 
request message, such as a RADIUS access request message. 

Preferably, an authentication server functionality may be
provided for a VAS platform, wherein the access request
message is transmitted to the authentication server
functionality of the VAS platform, and the mobile terminal
is identified in the VAS platform based on the mapping
information. In this case, the authentication server
functionality may be included in the VAS platform or,
alternatively, the authentication server functionality may
be provided by a dedicated authentication server.

In case the gateway device is a GGSN, the mapping
information may be generated by an authentication client
functionality in the GGSN.

The mapping information may be used for a service specific
charging.

The authentication server may be a RADIUS server for the 
VAS platform provided in the second network, wherein the 
VAS platform is adapted to identify the subscriber based on 
the mapping information. 

BRIEF DESCRIPTION OF THE DRAWINGS 

In the following, the present invention will be described 
in greater detail on the basis of a preferred embodiment 
with reference to the accompanying drawings, in which: 

Fig. 1 shows a block diagram of a GPRS network connected to 
an IP network according to the preferred embodiment of the 
present invention, and 

Fig. 2 shows an information flow and processing diagram of 
an access operation to the IP network, according to the 
preferred embodiment of the present invention. 



DESCRIPTION OF THE PREFERRED EMBODIMENT 

In the following, the preferred embodiment of the 
authentication method and system according to the present 
invention will be described on the basis of a GPRS network 
which is an example for a first network and an IP network 
which is an example for a second network.

According to Fig. 1, a mobile terminal or mobile station
(MS) 1 is radio-connected to a GSM network 2 which in turn
is connected to an SGSN 3 of a GPRS backbone network. The
GPRS backbone network includes a charging server 4 and a
GGSN 5 connected to an IP network 9, e.g. an intranet of a
specific operator or the Internet.

The GGSN 5 comprises an access point unit (AP) 51 which
provides an access to the IP network 9 and which is
arranged to allocate an IP address to an MS to be connected
to the IP network 9. Furthermore, the GGSN 5 includes an
authentication client unit 52 adapted to provide required
parameters for an access request issued to the IP network
9. Moreover, the authentication client unit 52 may be
arranged to clarify/specify the handling of user name and
password parameters supplied to the desired VAS of the IP
network 9.

According to an example of the preferred embodiment shown
in Fig. 1, the IP network 9 is an operator's intranet
backbone which comprises an address allocation server 6,
e.g. a RADIUS (Remote Authentication Dial In User Service)
server, a DHCP (Dynamic Host Configuration Protocol) server
or a DNS (Domain Name Server), or the like. The address
allocation server 6 is arranged to respond to an access
request from the GGSN 5 with either an access-accept or an
access-reject message. Furthermore, the address allocation
server 6 performs a host configuration and address
allocation in the IP network 9.

Additionally, the IP network 9, e.g. the operator's
intranet, comprises a Value Added Service (VAS) platform 7.
An example for such a VAS platform may be a Multimedia
Messaging Center (MMSC) for delivering multimedia messages
to requesting subscribers such as the MS 1. Moreover,
another example for a VAS platform is a Wireless
Application Protocol (WAP) gateway which provides an access
to the World Wide Web (WWW) based on a corresponding
Uniform Resource Locator (URL).

According to the preferred embodiment of the present
invention, a dedicated authentication server 8 for the VAS
platform 7 is provided in the IP network 9. The
authentication server 8 may be a RADIUS server which
accepts or rejects access requests to the VAS platform 7.
Furthermore, the authentication server 8 is arranged to log
or store an access request or a corresponding mobile
subscriber identity, received from the authentication
client, e.g. RADIUS client, 52 of the GGSN 5. Accordingly,
the authentication client 52 of the GGSN 5 communicates
with the address allocation server or specific
authentication server 8, such that an authentication
client-server connection is established.

In particular, the authentication client 52 incorporates or
adds a mapping information to the access request, based on
which the actual MSISDN and/or IMSI of an MS requesting a
service from the IP network 9 can be derived at the
authentication server 8. The mapping information may
comprise the current IP address, the MSISDN and/or the
IMSI, or any combination or shortened version, based on
which the MSISDN and/or IMSI can be derived from the
current IP address. The MSISDN can be obtained by the GGSN
5 via the SGSN 3 from GSM network 2.

Thus, the authentication client unit 52 of the GGSN 5
provides an information about the mapping between the IP
address and the MSISDN and/or the IMSI. If this mapping is
changed, the authentication client unit 52 sends a new
mapping information to the authentication server 8 of the
IP network 9. Thereby, the MSISDN and/or IMSI is always
available to the VAS platform 7.

The MSISDN can be provided as an additional GTP parameter
supplied from the SGSN 3 to the GGSN 5. The IMSI can be
derived from the TID also supplied from the SGSN 3 to the
GGSN 5.

The GGSN 5 functions as an access point of the GSM GPRS
data network for interworking with the IP network 9. In
this case, the GPRS network will look like any other IP
network or subnetwork. The access to the IP network 9 may
involve specific functions such as user authentication,
user's authorization, end-to-end encryption between an MS
and the IP network 9, allocation of a dynamic IP address
belonging to the addressing space of the IP network 9. In
case of a non-transparent access to the IP network 9, the
GGSN 5 takes part in the functions listed above. In
particular, the MS 1 requesting access to the IP network 9
is given an address belonging to the operator addressing
space. The address is given either at subscription, in
which case it is a static address, or at PDP (Packet Data
Protocol) context activation, in which case it is a dynamic
address. This address is used for packet forwarding between
the IP network 9 and the GGSN 5 and within the GGSN 5.

In the following, an example for an access operation to the
IP network 9 via the GPRS backbone network is described
based on Fig. 2.

Fig. 2 shows an information flow and processing diagram
indicating the signaling and processing actions performed
during the exemplary access operation. According to Fig. 2,
the MS 1 sends an Activate PDP Context Request message to
the SGSN 3, including protocol configuration options and
parameters such as an NSAPI (Network layer Service Access
Point Identifier). Then, the SGSN 3 creates a TID for the
requested PDP context by combining the IMSI stored in the
MM (Mobility Management) context with the NSAPI received
from the MS, wherein the SGSN fetches the MSISDN from the
HLR. Subsequently, the SGSN 3 transmits a Create PDP
Context Request message to the GGSN 5 including parameters
such as an APN (Access Point Name), the TID and the MSISDN.
The AP unit 51 of the GGSN 5 allocates an IP address for
the MS 1, and the authentication client unit 52
incorporates required parameters for the access request to
the authentication server 8. In particular, the
authentication client unit 52 generates mapping data
indicating a mapping between the allocated IP address and
the MSISDN/IMSI.

The GGSN 5 sends the access request including the IP
address and the mapping data to the authentication server 8
provided for the VAS platform 7. Then, the authentication
server 8 accepts or rejects the received request.
Furthermore, the authentication server 8 logs the request
including the IP address and the mapping data. Accordingly,
the VAS platform 7 is capable of identifying the MS 1 based
on the mapping data included in the access request stored
in the authentication server 8.

The GGSN 5 sends back to the SGSN 3 a Create PDP Context
Response message, wherein a cause value is set according to
the result of the authentication, i.e. access rejected or
accepted. Depending on the cause value received in the
Create PDP Context Response message, the SGSN 3 sends
either an Activate PDP Context Accept message or an
Activate PDP Context Reject message to the MS 1.

Accordingly, by the above access procedure, the VAS 
platform 7 can receive the IP address, the IMSI and the 
MSISDN of an accessing MS, such that the addressing in the 
multimedia messaging service can be based on the MSISDN and 
service specific charging is possible. 

In summary, the present invention relates to an 
authentication method and system for identifying a 
subscriber of a first network in a second network, wherein 
an address of the second network is allocated to the 
subscriber. An information about a mapping between the 
address of the second network and a subscriber identity is 
generated and transmitted to the second network. Thereby, 
an authentication server connection is provided between the 
first network and the second network, such that the 
subscriber identity can be handed over to the second
network. Thus, a VAS platform of the second network can 
receive the address of the second network and the 
subscriber identity of the subscriber, such that subscriber 
accessing services of the VAS platform can be identified 
for charging and/or addressing purposes. 

It is to be noted that the above described authentication 
method and system can be applied between any gateway device 
between two networks, such as a mobile network and an IP 
network, or a telephone network (e.g., ISDN, PSTN) and a 
closed or open data network. Moreover, the authentication 
server 8 and authentication client unit 52 are not
restricted to a RADIUS server and client. It is also to be
noted that multiple VAS platforms, similar to or different
from each other, can be attached to the second network at
the same time.

The above description of the preferred embodiment and the
accompanying drawings are only intended to illustrate the
present invention. The preferred embodiment of the
invention may thus vary within the scope of the attached
claims.

1. An authentication method for identifying a
subscriber of a first network (2) in a second network,
wherein an authentication server functionality for a VAS 
platform is provided, comprising the steps of: 

a) allocating an address of said second network (9) to
said subscriber;

b) generating information about a mapping between the 
subscriber's address in said second network (9) and a 
subscriber identity; and 

c) transmitting the mapping to said second network, 

wherein said subscriber is identified in the VAS 
platform based on said mapping information. 

2. An authentication method according to claim 1, 
wherein said mapping information is transmitted to said 
second network, when said mapping between said address in 
said second network and the subscriber identity has
changed.

3. An authentication method according to claim 1 or 2,
wherein said subscriber identity is an IMSI and/or an
MSISDN of the subscriber.

4. An authentication method according to any one of
claims 1 to 3, wherein said mapping information is
transmitted in an access request message.

5. An authentication method according to claim 4,
wherein said request access message is a RADIUS access
request message.

6. An authentication method according to claim 1,
wherein said authentication server functionality is
included in the VAS platform.

7. An authentication method according to claim 1,
wherein said authentication server functionality is
provided by a dedicated authentication server.

8. An authentication method according to any one of the
preceding claims, wherein said mapping information is
generated by an authentication client functionality in a
GGSN.

9. An authentication method according to any one of the
preceding claims, wherein said mapping information is
used for a service specific charging and/or addressing of
mobile terminals.

10. An authentication system for identifying a subscriber
(1) of a first network (2) in a second network (9),
comprising:

a) a gateway device (5) comprising allocation means (51)
for allocating an address of said second network (9) to
said subscriber (1), and authentication client means
(52) for generating an information about a mapping
between said address of said second network (9) and a
subscriber identity, and for transmitting said mapping
information to said second network (9); and

b) an authentication server (8) provided in said second
network (9) and adapted to log and maintain said
mapping information

c) wherein said authentication server (8) is a server for
a VAS platform (7) provided in said second network (9),
wherein said VAS platform (7) is adapted to identify
said subscriber (1) based on said mapping information.

11. An authentication system according to claim 10,
wherein said gateway device is a GGSN (5).

12. An authentication system according to claim 10 or 11,
wherein said authentication client means (52) is a RADIUS
client.

13. An authentication system according to any one of
claims 10 to 12, wherein said authentication server (8)
is a RADIUS server.

14. An authentication system according to any one of
claims 10 to 13, wherein said subscriber identity is an
IMSI or an MSISDN.

15. An authentication system according to any one of
claims 10 to 14, wherein said authentication client means
(52) is arranged to transmit said mapping information in
an access request message to said authentication server
(8).

16. A gateway device for connecting a first network (2)
to a second network (9), comprising:

a) allocation means (51) for allocating an address of
said second network (9) to a subscriber (1) of said
first network (2); and

b) authentication client means (52) for generating an
information about a mapping between said address of
said second network (9) and a subscriber identity, and
for transmitting said mapping information to said IP
network (9), wherein said authentication client means
(52) is a RADIUS client.

17. A gateway device according to claim 16, wherein said
authentication client means (52) is arranged to transmit
said mapping information in an access request message.

(57) Abstract: The present invention relates to an authentication
method and system for identifying a subscriber (1) of a first network
(2) in a second network (9), wherein an address of the second network
(9) is allocated to the subscriber (1). An information about a mapping
between the address of the second network (9) and a subscriber identity
is generated and transmitted to the second network (9). Thereby, an
authentication server connection is provided between the first network
(2) and the second network (9), such that the subscriber identity
can be handed over to the second network (9). Thus, a VAS platform
of the second network (9) can receive the address of the second
network and the subscriber identity of the subscriber (1), such that
subscriber accessing services of the VAS platform can be identified
for charging and/or addressing purposes.